Changeset 6827

Timestamp:

20/04/10 16:40:56 (11 years ago)

Author:

pjkersha

Message:

Testing with new getTrustRoots method added.

Location:

TI12-security/trunk/MyProxyClient

Files:

• .project (added)
• .pydevproject (added)
• myproxy/client.py (modified) (22 diffs)
• test/myProxyClient.cfg (modified) (2 diffs)
• test/myProxyClientTest.cfg (modified) (5 diffs)
• test/test-ca.crt (added)
• test/test_myproxyclient.py (modified) (14 diffs)

TI12-security/trunk/MyProxyClient/myproxy/client.py

@@ -121 +121 @@
     http://grid.ncsa.uiuc.edu/myproxy/protocol/
     
-    @type getCmd: string
-    @cvar getCmd: get command string
-    
-    @type infoCmd: string
-    @cvar infoCmd: info command string
-    
-    @type destroyCmd: string
-    @cvar destroyCmd: destroy command string
-    
-    @type changePassphraseCmd: string
-    @cvar changePassphraseCmd: command string to change cred pass-phrase
-    
-    @type storeCmd: string
-    @cvar storeCmd: store command string
+    @type GET_CMD: string
+    @cvar GET_CMD: get command string
+    
+    @type INFO_CMD: string
+    @cvar INFO_CMD: info command string
+    
+    @type DESTROY_CMD: string
+    @cvar DESTROY_CMD: destroy command string
+    
+    @type CHANGE_PASSPHRASE_CMD: string
+    @cvar CHANGE_PASSPHRASE_CMD: command string to change cred pass-phrase
+    
+    @type STORE_CMD: string
+    @cvar STORE_CMD: store command string
+    
+    @type GET_TRUST_ROOTS_CMD: string
+    @cvar GET_TRUST_ROOTS_CMD: get trust roots command string
     
     @type _hostCertSubDirPath: string
@@ -141 +144 @@
     @type _hostKeySubDirPath: string
     @cvar _hostKeySubDirPath: sub-directory path to host key (as tuple)
+    
+    @type PRIKEY_NBITS: int
+    @cvar PRIKEY_NBITS: default number of bits for private key generated
+    
+    @type MESSAGE_DIGEST_TYPE: string
+    @cvar MESSAGE_DIGEST_TYPE: message digest type is MD5
+    
+    @type SERVER_RESP_BLK_SIZE: int
+    @cvar SERVER_RESP_BLK_SIZE: block size for retrievals from server
+    
+    @type MAX_RECV_TRIES: int
+    @cvar MAX_RECV_TRIES: maximum number of retrievals of size 
+    SERVER_RESP_BLK_SIZE before this client gives up
+    
+    @type DEF_PROXY_FILEPATH: string
+    @cvar DEF_PROXY_FILEPATH: default location for proxy file to be written to
+    
+    @type PROXY_FILE_PERMISSIONS: int
+    @cvar PROXY_FILE_PERMISSIONS: file permissions returned proxy file is 
+    created with
     
     @type propertyDefaults: tuple
@@ -147 +170 @@
     """
       
-    getCmd="""VERSION=MYPROXYv2
+    GET_CMD="""VERSION=MYPROXYv2
 COMMAND=0
 USERNAME=%s
@@ -153 +176 @@
 LIFETIME=%d"""
  
-    infoCmd="""VERSION=MYPROXYv2
+    INFO_CMD="""VERSION=MYPROXYv2
 COMMAND=2
 USERNAME=%s
@@ -159 +182 @@
 LIFETIME=0"""
  
-    destroyCmd="""VERSION=MYPROXYv2
+    DESTROY_CMD="""VERSION=MYPROXYv2
 COMMAND=3
 USERNAME=%s
@@ -165 +188 @@
 LIFETIME=0"""
 
-    changePassphraseCmd="""VERSION=MYPROXYv2
+    CHANGE_PASSPHRASE_CMD="""VERSION=MYPROXYv2
  COMMAND=4
  USERNAME=%s
@@ -172 +195 @@
  LIFETIME=0"""
    
-    storeCmd="""VERSION=MYPROXYv2
+    STORE_CMD="""VERSION=MYPROXYv2
 COMMAND=5
 USERNAME=%s
@@ -178 +201 @@
 LIFETIME=%d"""
 
+    GET_TRUST_ROOTS_CMD="""VERSION=MYPROXYv2
+COMMAND=7
+USERNAME=%s
+PASSPHRASE=%s
+LIFETIME=0
+TRUSTED_CERTS=1"""
+
     _hostCertSubDirPath = ('etc', 'hostcert.pem')
     _hostKeySubDirPath = ('etc', 'hostkey.pem')
@@ -183 +213 @@
     # Work out default location of proxy file if it exists.  This is set if a
     # call has been made previously to logon / get-delegation
-    defProxyFile = sys.platform == 'win32' and 'proxy' or \
-    sys.platform in ('linux2', 'darwin') and '/tmp/x509up_u%s'%(os.getuid()) \
-    or None     
-    
-    PRIKEY_NBITS = 2048
+    DEF_PROXY_FILEPATH = sys.platform == ('win32' and 'proxy' or 
+                                    sys.platform in ('linux2', 'darwin') and 
+                                    '/tmp/x509up_u%s' % (os.getuid()) 
+                                    or None)  
+    
+    PRIKEY_NBITS = 4096
     MESSAGE_DIGEST_TYPE = "md5"
     SERVER_RESP_BLK_SIZE = 8192
+    MAX_RECV_TRIES = 1024
     
     # valid configuration property keywords
@@ -245 +277 @@
         self.serverDN = os.environ.get('MYPROXY_SERVER_DN',
                                     MyProxyClient.propertyDefaults['serverDN'])
+        
+        # Environment variable may be quoted
+        if self.serverDN:
+            self.serverDN = self.serverDN.strip('"')
             
         # keyword settings
@@ -554 +590 @@
                         
         req.set_subject_name(x509Name)
-        
         req.sign(pubKey, messageDigest)
 
         return req.as_der()
-    
     
     def _deserializeResponse(self, msg, *fieldNames):
@@ -656 +690 @@
         
         if filePath is None:
-            filePath = MyProxyClient.defProxyFile
+            filePath = MyProxyClient.DEF_PROXY_FILEPATH
             
         if filePath is None:
@@ -663 +697 @@
         
         outStr = proxyCert + proxyPriKey + userX509Cert       
-        open(MyProxyClient.defProxyFile, 'w').write(outStr)
+        open(MyProxyClient.DEF_PROXY_FILEPATH, 'w').write(outStr)
         try:
             # Make sure permissions are set correctly
-            os.chmod(MyProxyClient.defProxyFile, 0600)
+            os.chmod(MyProxyClient.DEF_PROXY_FILEPATH, 
+                     MyProxyClient.PROXY_FILE_PERMISSIONS)
         except Exception, e:
             # Don't leave the file lying around if couldn't change it's
             # permissions
-            os.unlink(MyProxyClient.defProxyFile)
-            
-            log.error('Unable to set 0600 permissions for proxy file "%s": %s'% 
-                      (MyProxyClient.defProxyFile, e))
+            os.unlink(MyProxyClient.DEF_PROXY_FILEPATH)
+            
+            log.error('Unable to set %o permissions for proxy file "%s": %s'% 
+                      (MyProxyClient.PROXY_FILE_PERMISSIONS,
+                       MyProxyClient.DEF_PROXY_FILEPATH, e))
             raise
 
@@ -684 +720 @@
         @return: tuple containing proxy cert, private key, user cert"""
         if filePath is None:
-            filePath = MyProxyClient.defProxyFile
+            filePath = MyProxyClient.DEF_PROXY_FILEPATH
             
         if filePath is None:
@@ -690 +726 @@
                                      "platform?")
                
-        proxy = open(MyProxyClient.defProxyFile).read()
+        proxy = open(MyProxyClient.DEF_PROXY_FILEPATH).read()
         
         # Split certs and key into separate tuple items
@@ -744 +780 @@
     
         # send info command - ensure conversion from unicode before writing
-        cmd = MyProxyClient.infoCmd % username
+        cmd = MyProxyClient.INFO_CMD % username
         conn.write(str(cmd))
     
@@ -807 +843 @@
     
         # send command - ensure conversion from unicode before writing
-        cmd = MyProxyClient.changePassphraseCmd % (username, 
-                                                   passphrase,
-                                                   newPassphrase)
+        cmd = MyProxyClient.CHANGE_PASSPHRASE_CMD % (username, 
+                                                     passphrase,
+                                                     newPassphrase)
         conn.write(str(cmd))
     
@@ -864 +900 @@
     
         # send destroy command - ensure conversion from unicode before writing
-        cmd = MyProxyClient.destroyCmd % username
+        cmd = MyProxyClient.DESTROY_CMD % username
         conn.write(str(cmd))
     
@@ -963 +999 @@
     
         # send store command - ensure conversion from unicode before writing
-        cmd = MyProxyClient.storeCmd % (username, lifetime)
+        cmd = MyProxyClient.STORE_CMD % (username, lifetime)
         conn.write(str(cmd))
     
@@ -1033 +1069 @@
     
         # send get command - ensure conversion from unicode before writing
-        cmd = MyProxyClient.getCmd % (username, passphrase, lifetime)
+        cmd = MyProxyClient.GET_CMD % (username, passphrase, lifetime)
         conn.write(str(cmd))
     
@@ -1065 +1101 @@
                                                     (nCerts, len(pemCerts)))
     
-        if key is not None:
+        if keys is not None:
             # Return certs and private key
             # - proxy or dynamically issued certificate (MyProxy CA mode)
             # - private key
             # - rest of cert chain if proxy cert issued
-            pemKey = key.as_pem(cipher=None)
+            pemKey = keys.as_pem(cipher=None)
             creds = [pemCerts[0], pemKey]
             creds.extend(pemCerts[1:])
@@ -1083 +1119 @@
         """Retrieve proxy cert for user - same as logon"""
         return self.logon(*arg, **kw)
+    
+    def getTrustRoots(self, username='', passphrase=''):
+        """Get trust roots for the given MyProxy server
+        
+        @type username: basestring
+        @param username: username (optional)
+        
+        @type passphrase: basestring
+        @param passphrase: pass-phrase (optional)
+        server
+        
+        @return: trust root files as a dictionary keyed by file name with each 
+        item value set to the file contents
+        @rtype: dict
+        """
+        # Set-up SSL connection
+        conn = self._initConnection()
+        conn.connect((self.hostname, self.port))
+        
+        # send globus compatibility stuff
+        conn.write('0')
+    
+        # send get command - ensure conversion from unicode before writing
+        cmd = MyProxyClient.GET_TRUST_ROOTS_CMD % (username, passphrase)
+        conn.write(str(cmd))
+    
+        # process server response chunks until all consumed
+        dat = ''
+        try:
+            for tries in range(MyProxyClient.MAX_RECV_TRIES):
+                dat += conn.recv(MyProxyClient.SERVER_RESP_BLK_SIZE)
+        except SSL.SSLError:
+            # Expect this exception when response content exhausted
+            pass
+        
+        # Precaution
+        if tries == MyProxyClient.MAX_RECV_TRIES:
+            log.warning('Maximum %d tries reached for getTrustRoots response '
+                        'block retrieval with block size %d', 
+                        MyProxyClient.MAX_RECV_TRIES,
+                        MyProxyClient.SERVER_RESP_BLK_SIZE)
+            
+        respCode, errorTxt, fields = self._deserializeResponse(dat, 
+                                                               'TRUSTED_CERTS')
+        if respCode:
+            raise MyProxyClientGetError(errorTxt)
+        
+        # Skip terminating line
+        lines = dat.split('\n')[:-1]
+        log.debug("Response = %r", lines)
+
+        fileNameKeys = fields['TRUSTED_CERTS'].split(',')
+        respDict = dict([tuple(line.split('=', 1)) 
+                         for line in lines if line.startswith('FILEDATA_')])
+        
+        filesDict = dict([(k, base64.b64decode(respDict['FILEDATA_' + k])) 
+                          for k in fileNameKeys])
+        
+        return filesDict
+        

TI12-security/trunk/MyProxyClient/test/myProxyClient.cfg

@@ -21 +21 @@
 # CN is usually set to "host/<fqdn>".  Delete this element and set from 
 # MYPROXY_SERVER_DN environment variable if preferred
-serverDN=/O=NDG/OU=Raphael/CN=raphael
+#serverDN=/O=NDG/OU=Raphael/CN=raphael
 
 # Set "host/" prefix to host cert CN as is default with globus
@@ -44 +44 @@
 
 #caCertFilePath=$MYPROXYCLIENT_UNITTEST_DIR/ndg-test-ca.crt
-caCertFilePath=$MYPROXYCLIENT_UNITTEST_DIR/ndg-glue-ca.crt
+caCertFilePath=$MYPROXYCLIENT_UNITTEST_DIR/test-ca.crt

TI12-security/trunk/MyProxyClient/test/myProxyClientTest.cfg

@@ -15 +15 @@
 # terminal.  To set a null password, leave the field in place but set to
 # blank
-[test1Store]
+[test01Store]
 username: testuser
 passphrase: testpassword
@@ -24 +24 @@
 ownerPassphrase: testpassword
 
-[test2GetDelegation]
+[test02GetDelegation]
 username: testuser
 passphrase: testpassword
@@ -31 +31 @@
 proxyKeyFileOut: $MYPROXYCLIENT_UNITTEST_DIR/proxy.key
 
-[test3Info]
+[test03Info]
 username: testuser
 ownerCertFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.crt
@@ -37 +37 @@
 ownerPassphrase: testpassword
 
-[test4ChangePassphrase]
+[test04ChangePassphrase]
 username: testuser
 ownerCertFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.crt
@@ -45 +45 @@
 ownerPassphrase: testpassword
 
-[test5Destroy]
+[test05Destroy]
 username: testuser
 ownerCertFile: $MYPROXYCLIENT_UNITTEST_DIR/proxy.crt

TI12-security/trunk/MyProxyClient/test/test_myproxyclient.py

@@ -10 +10 @@
 __contact__ = "Philip.Kershaw@stfc.ac.uk"
 __revision__ = '$Id$'
+import logging
+logging.basicConfig(level=logging.DEBUG)
 
 import unittest
@@ -16 +18 @@
 import getpass
 import traceback
+from os import path
+
+from M2Crypto import X509
 
 from myproxy.client import CaseSensitiveConfigParser, MyProxyClient
 
-xpdVars = os.path.expandvars
-jnPath = os.path.join
-mkPath = lambda file: jnPath(os.environ['MYPROXYCLIENT_UNITTEST_DIR'], file)
+mkPath = lambda file: path.join(os.environ['MYPROXYCLIENT_UNITTEST_DIR'], file)
 
 class _MyProxyClientTestCase(unittest.TestCase):
@@ -31 +34 @@
     if 'MYPROXYCLIENT_UNITTEST_DIR' not in os.environ:
         os.environ['MYPROXYCLIENT_UNITTEST_DIR'] = \
-            os.path.abspath(os.path.dirname(__file__))
+                                        path.abspath(path.dirname(__file__))
 
 
@@ -37 +40 @@
     '''Tests require a connection to a real MyProxy service running on a host
     '''
+    CONFIG_FILENAME = "myProxyClientTest.cfg"
     
     def setUp(self):
@@ -43 +47 @@
         
         configParser = CaseSensitiveConfigParser()
-        configFilePath = jnPath(os.environ['MYPROXYCLIENT_UNITTEST_DIR'],
-                                "myProxyClientTest.cfg")
+        configFilePath = path.join(os.environ['MYPROXYCLIENT_UNITTEST_DIR'],
+                                   MyProxyClientLiveTestCase.CONFIG_FILENAME)
         configParser.read(configFilePath)
         
@@ -50 +54 @@
         for section in configParser.sections():
             self.cfg[section] = dict(configParser.items(section))
-            
-        self.clnt = MyProxyClient(
-                        cfgFilePath=xpdVars(self.cfg['setUp']['cfgFilePath']))
-        
-
-    def test1Store(self):
-        '''test1Store: upload X509 cert and private key to repository'''
-        thisSection = self.cfg['test1Store']
+        
+        configFilePath = path.expandvars(self.cfg['setUp']['cfgFilePath'])
+        self.clnt = MyProxyClient(cfgFilePath=configFilePath)
+        
+    def test01Store(self):
+        # upload X509 cert and private key to repository
+        thisSection = self.cfg['test01Store']
         
         passphrase = thisSection.get('passphrase')
@@ -69 +72 @@
                                                      " owner pass-phrase: ")
 
-        certFile = xpdVars(thisSection['signingCertFilePath'])
-        keyFile = xpdVars(thisSection['signingPriKeyFilePath'])
-        ownerCertFile = xpdVars(thisSection['ownerCertFile'])
-        ownerKeyFile = xpdVars(thisSection['ownerKeyFile'])
+        certFile = path.expandvars(thisSection['signingCertFilePath'])
+        keyFile = path.expandvars(thisSection['signingPriKeyFilePath'])
+        ownerCertFile = path.expandvars(thisSection['ownerCertFile'])
+        ownerKeyFile = path.expandvars(thisSection['ownerKeyFile'])
             
         self.clnt.store(thisSection['username'],
@@ -84 +87 @@
         print("Store creds for user %s" % thisSection['username'])
     
-    
-    def test2GetDelegation(self):
-        '''test2GetDelegation: retrieve proxy cert./private key'''
-        thisSection = self.cfg['test2GetDelegation']
+    def test02GetDelegation(self):
+        # retrieve proxy cert./private key
+        thisSection = self.cfg['test02GetDelegation']
         
         passphrase = thisSection.get('passphrase')
@@ -94 +96 @@
                                                 "passphrase: ")
          
-        proxyCertFile = xpdVars(thisSection['proxyCertFileOut'])
-        proxyKeyFile = xpdVars(thisSection['proxyKeyFileOut'])
+        proxyCertFile = path.expandvars(thisSection['proxyCertFileOut'])
+        proxyKeyFile = path.expandvars(thisSection['proxyKeyFileOut'])
 
         creds = self.clnt.getDelegation(thisSection['username'], 
@@ -104 +106 @@
         open(proxyKeyFile, 'w').write(creds[1])
 
-
-    def test3Info(self):
-        '''test3Info: Retrieve information about a given credential'''
-        thisSection = self.cfg['test3Info']
+    def test03Info(self):
+        # Retrieve information about a given credential
+        thisSection = self.cfg['test03Info']
         
         # ownerPassphrase can be omitted from the congif file in which case
@@ -118 +119 @@
         credExists, errorTxt, fields = self.clnt.info(
                                      thisSection['username'],
-                                     xpdVars(thisSection['ownerCertFile']),
-                                     xpdVars(thisSection['ownerKeyFile']),
+                                     path.expandvars(thisSection['ownerCertFile']),
+                                     path.expandvars(thisSection['ownerKeyFile']),
                                      ownerPassphrase=ownerPassphrase)
         print "test3Info... "
@@ -126 +127 @@
         print "fields: %s" % fields
 
-
-    def test4ChangePassphrase(self):        
-        """test4ChangePassphrase: change pass-phrase protecting a given
-        credential"""
-        thisSection = self.cfg['test4ChangePassphrase']
+    def test04ChangePassphrase(self):        
+        # change pass-phrase protecting a given credential
+        thisSection = self.cfg['test04ChangePassphrase']
         
         passphrase = thisSection.get('passphrase')
@@ -153 +152 @@
 
         self.clnt.changePassphrase(thisSection['username'],
-                                   passphrase,
-                                   newPassphrase, 
-                                   xpdVars(thisSection['ownerCertFile']),
-                                   xpdVars(thisSection['ownerKeyFile']),
-                                   ownerPassphrase=ownerPassphrase)
+                               passphrase,
+                               newPassphrase, 
+                               path.expandvars(thisSection['ownerCertFile']),
+                               path.expandvars(thisSection['ownerKeyFile']),
+                               ownerPassphrase=ownerPassphrase)
         print("Changed pass-phrase")
 
-
-    def test5Destroy(self):
-        '''test5Destroy: destroy credentials for a given user'''
-        thisSection = self.cfg['test5Destroy']
+    def test05Destroy(self):
+        # destroy credentials for a given user
+        thisSection = self.cfg['test05Destroy']
         
         ownerPassphrase = thisSection.get('ownerPassphrase')
@@ -171 +169 @@
 
         self.clnt.destroy(thisSection['username'], 
-                          ownerCertFile=xpdVars(thisSection['ownerCertFile']),
-                          ownerKeyFile=xpdVars(thisSection['ownerKeyFile']),
-                          ownerPassphrase=ownerPassphrase)
+                  ownerCertFile=path.expandvars(thisSection['ownerCertFile']),
+                  ownerKeyFile=path.expandvars(thisSection['ownerKeyFile']),
+                  ownerPassphrase=ownerPassphrase)
         print("Destroy creds for user %s" % thisSection['username'])
         
+    def test06GetTrustRoots(self):
+        # Test get trust roots command
+        trustRoots = self.clnt.getTrustRoots()
+        self.assert_(trustRoots)
+        self.assert_(isinstance(trustRoots, dict))
+        self.assert_(len(trustRoots) > 0)
+        for fileName, fileContents in trustRoots.items():
+            if fileName.endswith('.0'):
+                # test parsing certificate
+                cert = X509.load_cert_string(fileContents, X509.FORMAT_PEM)
+                self.assert_(cert)
+                self.assert_(isinstance(cert, X509.X509))
+                subj = cert.get_subject()
+                self.assert_(subj)
+                print("Trust root certificate retrieved with DN=%s" % subj)
+                
         
 from myproxy.utils.openssl import OpenSSLConfigError